Merge branch 'main' of https://github.com/MicrosoftDocs/azure-stack-docs-pr into validsign7-11

sethmanheim · sethmanheim · commit af3c90041189 · 2025-07-17T12:38:20.000-07:00
diff --git a/.openpublishing.redirection.aks.json b/.openpublishing.redirection.aks.json
@@ -1489,6 +1489,11 @@
         "source_path": "AKS-Arc/tutorial-kubernetes-upgrade-cluster.md",
         "redirect_url": "/azure/aks/aksarc/overview",
         "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Arc/aks-hci-network-system-requirements.md",
+        "redirect_url": "/azure/aks/aksarc/network-system-requirements",
+        "redirect_document_id": false
       }
     ]
   }
diff --git a/AKS-Arc/TOC.yml b/AKS-Arc/TOC.yml
@@ -25,7 +25,7 @@
     - name: Networking
       items:
       - name: Networking concepts and requirements
-        href: aks-hci-network-system-requirements.md
+        href: network-system-requirements.md
       - name: IP address planning
         href: aks-hci-ip-address-planning.md
       - name: Load balancer
@@ -201,6 +201,21 @@
       href: connectivity-troubleshoot.md
     - name: Cluster status stuck during upgrade
       href: cluster-upgrade-status.md
+  - name: Security
+    items:  
+    - name: Security book - recommendations and best practices
+      href: /azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+      displayName: security, best practices, recommendations
+    - name: Securing your platform
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-platform?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your workloads
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-workloads?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your operations
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-operations?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your data
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-data?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your network
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-network?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
   - name: Reference
     items:
     - name: Azure CLI
diff --git a/AKS-Arc/arc-gateway-aks-arc.md b/AKS-Arc/arc-gateway-aks-arc.md
@@ -2,25 +2,24 @@
 title: Simplify network configuration requirements with Azure Arc gateway (preview)
 description: Learn how to enable Arc gateway on AKS Arc clusters to simplify network configuration requirements
 ms.topic: how-to
-ms.date: 11/18/2024
+ms.date: 07/15/2025
 author: sethmanheim
-ms.author: sethm 
-ms.reviewer: abha
-ms.lastreviewed: 11/18/2024
-
+ms.author: sethm
+ms.reviewer: srikantsarwa
+ms.lastreviewed: 07/15/2025
 ---
 
-# Simplify network configuration requirements with Azure Arc Gateway (preview)
+# Simplify network configuration requirements with Azure Arc gateway (preview)
 
 If you use enterprise proxies to manage outbound traffic, Azure Arc gateway can help simplify the process of enabling connectivity.
 
-The Azure Arc gateway (currently in preview) lets you:
+The AKS Arc gateway (currently in preview) lets you:
 
 - Connect to Azure Arc by opening public network access to only seven fully qualified domain names (FQDNs).
 - View and audit all traffic that the Arc agents send to Azure via the Arc gateway.
 
 > [!IMPORTANT]
-> Azure Arc gateway is currently in preview.
+> AKS Arc gateway is currently in preview.
 >
 > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
@@ -29,7 +28,7 @@ The Azure Arc gateway (currently in preview) lets you:
 The Arc gateway works by introducing two new components:
 
 - The **Arc gateway resource** is an Azure resource that serves as a common front end for Azure traffic. The gateway resource is served on a specific domain/URL. You must create this resource by following the steps described in this article. After you successfully create the gateway resource, this domain/URL is included in the success response.
-- The **Arc Proxy** is a new component that runs as its own pod (called *Azure Arc Proxy*). This component acts as a forward proxy used by Azure Arc agents and extensions. There is no configuration required on your part for the Azure Arc Proxy.
+- The **Arc Proxy** is a new component that runs as its own pod (called _Azure Arc Proxy_). This component acts as a forward proxy used by Azure Arc agents and extensions. There is no configuration required on your part for the Azure Arc Proxy.
 
 For more information, see [how the Azure Arc gateway works](/azure/azure-arc/kubernetes/arc-gateway-simplify-networking?tabs=azure-cli).
 
@@ -52,36 +51,36 @@ For more information, see [how the Azure Arc gateway works](/azure/azure-arc/kub
 
 ## Confirm access to required URLs
 
-Ensure your Arc gateway URL and all of the URLs below are allowed through your enterprise firewall:
+Ensure your Arc gateway URL and all of the following URLs are allowed through your enterprise firewall:
 
-|URL  |Purpose  |
-|---------|---------|
-|`[Your URL prefix].gw.arc.azure.com`       | Your gateway URL. You can obtain this URL by running `az arcgateway list` after you create the resource.         |
-|`management.azure.com`    |Azure Resource Manager endpoint, required for the Azure Resource Manager control channel.         |
-|`<region>.obo.arc.azure.com`     |Required when `az connectedk8s proxy` is used.         |
-|`login.microsoftonline.com`, `<region>.login.microsoft.com`     | Microsoft Entra ID endpoint, used for acquiring identity access tokens.         |
-|`gbl.his.arc.azure.com`, `<region>.his.arc.azure.com`   |The cloud service endpoint for communicating with Arc Agents. Uses short names; for example `eus` for East US.          |
-|`mcr.microsoft.com`, `*.data.mcr.microsoft.com`     |Required to pull container images for Azure Arc agents.         |
+| URL                                                         | Purpose                                                                                                        |
+| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
+| `[Your URL prefix].gw.arc.azure.com`                        | Your gateway URL. You can obtain this URL by running `az arcgateway list` after you create the resource.       |
+| `management.azure.com`                                      | Azure Resource Manager endpoint, required for the Azure Resource Manager control channel.                      |
+| `<region>.obo.arc.azure.com`                                | Required when `az connectedk8s proxy` is used.                                                                 |
+| `login.microsoftonline.com`, `<region>.login.microsoft.com` | Microsoft Entra ID endpoint, used for acquiring identity access tokens.                                        |
+| `gbl.his.arc.azure.com`, `<region>.his.arc.azure.com`       | The cloud service endpoint for communicating with Arc Agents. Uses short names; for example, `eus` for East US. |
+| `mcr.microsoft.com`, `*.data.mcr.microsoft.com`             | Required to pull container images for Azure Arc agents.                                                        |
 
-## Create an AKS Arc cluster with Arc gateway enabled
+## Create an AKS Arc cluster with AKS Arc gateway enabled
 
-Run the following command to create an AKS Arc cluster with the Arc gateway enabled:
+Run the following command to create an AKS Arc cluster with the AKS Arc gateway enabled:
 
 ```azurecli
 az aksarc create -n $clusterName -g $resourceGroup --custom-location $customlocationID --vnet-ids $arcVmLogNetId --aad-admin-group-object-ids $aadGroupID --gateway-id $gatewayId --generate-ssh-keys
 ```
 
-## Update an AKS Arc cluster and enable Arc gateway
+## Update an AKS Arc cluster and enable the AKS Arc gateway
 
-Run the following command to update an AKS Arc cluster to enable Arc gateway:
+Run the following command to update an AKS Arc cluster to enable the AKS Arc gateway:
 
 ```azurecli
 az aksarc update -n $clusterName -g $resourceGroup --gateway-id $gatewayId
 ```
 
-## Disable Arc gateway on an AKS Arc cluster
+## Disable the AKS Arc gateway on an AKS Arc cluster
 
-Run the following command to disable Arc gateway:
+Run the following command to disable the AKS Arc gateway:
 
 ```azurecli
 az aksarc update -n $clusterName -g $resourceGroup --disable-gateway
@@ -92,7 +91,7 @@ az aksarc update -n $clusterName -g $resourceGroup --disable-gateway
 To audit your gateway traffic, view the gateway router logs:
 
 1. Run `kubectl get pods -n azure-arc`.
-1. Identify the Arc Proxy pod (its name will begin with `arc-proxy-`).
+1. Identify the Arc Proxy pod (its name begins with `arc-proxy-`).
 1. Run `kubectl logs -n azure-arc <Arc Proxy pod name>`.
 
 ## Other scenarios
diff --git a/AKS-Arc/azure-rbac-local.md b/AKS-Arc/azure-rbac-local.md
@@ -222,3 +222,4 @@ az role definition delete -n "AKS Arc Deployment Reader"
 - [Access and identity options](concepts-security-access-identity.md) for AKS enabled by Azure Arc
 - [Create an Azure service principal with Azure CLI](/cli/azure/azure-cli-sp-tutorial-1)
 - Available Azure permissions for [Hybrid + Multicloud](/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/concepts-security-access-identity.md b/AKS-Arc/concepts-security-access-identity.md
@@ -154,3 +154,4 @@ The following table contains a summary of how users can authenticate to Kubernet
 
 - To get started with Kubernetes RBAC for Kubernetes authorization, see [Control access using Microsoft Entra ID and Kubernetes RBAC](kubernetes-rbac-local.md)
 - To get started with Azure RBAC for Kubernetes authorization, see [Use Azure RBAC for Kubernetes Authorization](azure-rbac-local.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/configure-ssh-keys.md b/AKS-Arc/configure-ssh-keys.md
@@ -80,3 +80,4 @@ For information about error messages that can occur when you create and deploy a
 - [Connect to Windows or Linux worker nodes with SSH](ssh-connect-to-windows-and-linux-worker-nodes.md)
 - [Restrict SSH access to specific IP addresses](restrict-ssh-access.md)
 - [Get on-demand logs for troubleshooting](get-on-demand-logs.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/enable-authentication-microsoft-entra-id.md b/AKS-Arc/enable-authentication-microsoft-entra-id.md
@@ -75,3 +75,4 @@ Enable Microsoft Entra authentication on your existing Kubernetes cluster using
 - [Access and identity options for AKS enabled by Azure Arc](concepts-security-access-identity.md)
 - [Microsoft Entra integration with Kubernetes RBAC](kubernetes-rbac-local.md)
 - [Use Azure role-based access control (RBAC) for Kubernetes authorization](azure-rbac-local.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/encrypt-etcd-secrets.md b/AKS-Arc/encrypt-etcd-secrets.md
@@ -105,6 +105,7 @@ If you encounter any errors with the KMS plugin, follow the procedure on the [Tr
 
 ## Next steps
 
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
 - [Create Kubernetes clusters](aks-create-clusters-cli.md#deploy-the-application-and-load-balancer)
 - [Deploy a Linux application on a Kubernetes cluster](deploy-linux-application.md)
 
diff --git a/AKS-Arc/kubernetes-rbac-entra-id.md b/AKS-Arc/kubernetes-rbac-entra-id.md
@@ -236,3 +236,4 @@ Error from server (Forbidden): pods is forbidden: User cannot list resource "pod
 ## Next steps
 
 - [Learn more about security in AKS Arc on Windows Server](concepts-security.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/kubernetes-rbac-local.md b/AKS-Arc/kubernetes-rbac-local.md
@@ -250,3 +250,4 @@ Error from server (Forbidden): pods is forbidden: User cannot list resource "pod
 ## Next steps
 
 - [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/network-system-requirements.md b/AKS-Arc/network-system-requirements.md
@@ -2,11 +2,11 @@
 title: AKS enabled by Azure Arc network requirements
 description: Learn about AKS network prerequisites.
 ms.topic: overview
-ms.date: 07/02/2025
+ms.date: 07/17/2025
 author: sethmanheim
 ms.author: sethm
 ms.reviewer: srikantsarwa
-ms.lastreviewed: 07/10/2025
+ms.lastreviewed: 07/17/2025
 ---
 
 # AKS enabled by Azure Arc network requirements
@@ -86,6 +86,22 @@ When you deploy Azure Local, you allocate a contiguous block of at least [six st
 | 55000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC server | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
 | 65000 | IP addresses in management network | Logical network used for AKS Arc VMs | Cloud Agent gRPC authentication | If you use separate VLANs, the AKS Arc VMs need to access the IP addresses in management network used for cloud agent IP and cluster IP on this port and vice-versa. |
 
+## Use Azure Arc gateway (preview) with Azure Local
+
+If you use [Arc gateway](/azure/azure-local/deploy/deployment-azure-arc-gateway-overview) to deploy your Azure Local cluster infrastructure, make sure that connectivity between the AKS subnet and the cluster IP is allowed on port **40343**, as follows:
+
+| Destination port | Destination                     | Source                          | Description                                                                 | Bi-directional cross-VLAN networking notes |
+|------------------|---------------------------------|---------------------------------|-----------------------------------------------------------------------------|--------------------------------------------|
+| **40343**        | Cluster IP address |  Logical network used for AKS Arc VMs | Required only when the Azure Local cluster is configured with Arc Gateway for outbound connectivity. | If you use separate VLANs or subnets, ensure that the AKS Arc VMs can reach the Azure Local cluster IP address on port **40343**, and vice versa. |
+
+### Retrieve the Azure Local cluster IP address
+
+You can run the following PowerShell commands on the cluster to get the IP address of the Azure Local cluster:
+
+```powershell
+Get-ClusterResource -Name "Cluster IP Address" | Get-ClusterParameter -Name Address | Select-Object -Property Value
+```
+
 ## Next steps
 
 [IP address planning and considerations for Kubernetes clusters and applications](aks-hci-ip-address-planning.md)
diff --git a/AKS-Arc/network-validation-errors.md b/AKS-Arc/network-validation-errors.md
@@ -4,9 +4,9 @@ description: Learn how to troubleshoot general network validation errors in AKS
 author: sethmanheim
 ms.author: sethm
 ms.topic: troubleshooting
-ms.date: 05/07/2025
-ms.reviewer: pradwivedi
-ms.lastreviewed: 05/06/2025
+ms.date: 07/17/2025
+ms.reviewer: srikantsarwa
+ms.lastreviewed: 07/16/2025
 
 ---
 
@@ -60,6 +60,32 @@ This error indicates that the required URLs are not reachable from the AKS clust
 
 To resolve this error, ensure that the logical network IP addresses have outbound internet access. If there's a firewall, ensure that the [AKS required URLs](aks-hci-network-system-requirements.md#firewall-url-exceptions) are accessible from the Arc VM logical network.
 
+## InternetConnectivityError (in Arc Gateway scenario)
+
+Error: Network validation failed during cluster creation.
+
+### Description
+
+Detailed message: `Not able to connect to https://mcr.microsoft.com. Error returned: action failed after 5 attempts: Get "https://mcr.microsoft.com": proxyconnect tcp: dial tcp 192.168.2.100:40343: connect: connection refused`.
+
+### Causes of failure
+
+- The control plane VM can't reach the Azure Local cluster IP on port **40343**, which is required when Arc Gateway is enabled.
+- The firewall or network security rules block traffic between the AKS subnet and the cluster IP.
+- Proxy settings are incorrect, or the proxy does not allow connections to `mcr.microsoft.com`.
+
+### Mitigation
+
+To resolve this error, you can take the following steps:
+
+- Ensure that the **AKS subnet has connectivity to the Azure Local Cluster IP on port `40343`**.  
+- Verify that the Arc Gateway service on the Azure Local Cluster is running and listening on port `40343`.  
+- Check firewall or NSG rules to ensure that traffic between the AKS VMs and the Cluster IP on `40343` is allowed.  
+- Confirm that proxy settings (if used) are correct and that the proxy can forward requests to `https://mcr.microsoft.com`.  
+- Test connectivity to `https://mcr.microsoft.com` from the control plane VM, either directly or via the configured proxy.
+
+For more information, see [Use Azure Arc Gateway with Azure Local](aks-hci-network-system-requirements.md#use-azure-arc-gateway-preview-with-azure-local).
+
 ## VMNotReachableError
 
 Error: Network validation failed during cluster creation.
diff --git a/AKS-Arc/restrict-ssh-access.md b/AKS-Arc/restrict-ssh-access.md
@@ -42,3 +42,4 @@ This command does two things: it limits the scope of the command, and it also li
 
 - [Restrict SSH access (AKS on Azure Local 22H2)](restrict-ssh-access-22h2.md)
 - [AKS enabled by Arc overview](aks-overview.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/retrieve-admin-kubeconfig.md b/AKS-Arc/retrieve-admin-kubeconfig.md
@@ -19,3 +19,4 @@ ms.reviewer: leslielin
 ## Next steps
 
 - [Use Azure RBAC for Kubernetes authorization](azure-rbac-23h2.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/ssh-connect-to-windows-and-linux-worker-nodes.md b/AKS-Arc/ssh-connect-to-windows-and-linux-worker-nodes.md
@@ -78,3 +78,4 @@ If you encounter SSH login issues, verify that your IP address is included in th
 
 - [Use SSH keys to get on-demand logs for troubleshooting](get-on-demand-logs.md)
 - [Configure SSH keys for an AKS Arc cluster](configure-ssh-keys.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/workload-identity.md b/AKS-Arc/workload-identity.md
@@ -351,3 +351,5 @@ az aksarc delete -n $aks_cluster_name -g $resource_group_name
 
 In this article, you deployed a Kubernetes cluster and configured it to use a workload identity in preparation for application workloads to
 authenticate with that credential. Now you're ready to deploy your application and configure it to use the workload identity with the latest version of the [Azure Identity client library](/azure/active-directory/develop/reference-v2-libraries).
+
+You can also help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/azure-local/concepts/gateway-overview.md b/azure-local/concepts/gateway-overview.md
diff --git a/azure-local/manage/health-service-faults.md b/azure-local/manage/health-service-faults.md
diff --git a/azure-local/plan/cloud-deployment-network-considerations.md b/azure-local/plan/cloud-deployment-network-considerations.md

Original file line number	Diff line number	Diff line change
`@@ -1489,6 +1489,11 @@`
`1489`	`1489`	`"source_path": "AKS-Arc/tutorial-kubernetes-upgrade-cluster.md",`
`1490`	`1490`	`"redirect_url": "/azure/aks/aksarc/overview",`
`1491`	`1491`	`"redirect_document_id": false`
	`1492`	`+ },`
	`1493`	`+ {`
	`1494`	`+ "source_path": "AKS-Arc/aks-hci-network-system-requirements.md",`
	`1495`	`+ "redirect_url": "/azure/aks/aksarc/network-system-requirements",`
	`1496`	`+ "redirect_document_id": false`
`1492`	`1497`	`}`
`1493`	`1498`	`]`
`1494`	`1499`	`}`
Original file line number	Diff line number	Diff line change
`@@ -154,3 +154,4 @@ The following table contains a summary of how users can authenticate to Kubernet`
`154`	`154`
`155`	`155`	`- To get started with Kubernetes RBAC for Kubernetes authorization, see [Control access using Microsoft Entra ID and Kubernetes RBAC](kubernetes-rbac-local.md)`
`156`	`156`	`- To get started with Azure RBAC for Kubernetes authorization, see [Use Azure RBAC for Kubernetes Authorization](azure-rbac-local.md)`
	`157`	`+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).`
Original file line number	Diff line number	Diff line change
`@@ -236,3 +236,4 @@ Error from server (Forbidden): pods is forbidden: User cannot list resource "pod`
`236`	`236`	`## Next steps`
`237`	`237`
`238`	`238`	`- [Learn more about security in AKS Arc on Windows Server](concepts-security.md)`
	`239`	`+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).`
Original file line number	Diff line number	Diff line change
`@@ -250,3 +250,4 @@ Error from server (Forbidden): pods is forbidden: User cannot list resource "pod`
`250`	`250`	`## Next steps`
`251`	`251`
`252`	`252`	`- [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview)`
	`253`	`+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).`